Support for client certificate authentication

2016-06-15 22:38:40 +02:00
parent 8e333d0a03
commit 959c7dc783
4 changed files with 65 additions and 3 deletions
--- a/server.go
+++ b/server.go
@@ -5,8 +5,10 @@ package main

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -298,6 +300,22 @@ func (server *Server) createTLSConfig(entryPointName string, tlsOption *TLS, rou
 		config.Certificates = append(config.Certificates, cert)
 	}

+	if len(tlsOption.ClientCAFiles) > 0 {
+		pool := x509.NewCertPool()
+		for _, caFile := range tlsOption.ClientCAFiles {
+			data, err := ioutil.ReadFile(caFile)
+			if err != nil {
+				return nil, err
+			}
+			ok := pool.AppendCertsFromPEM(data)
+			if !ok {
+				return nil, errors.New("invalid certificate(s) in " + caFile)
+			}
+		}
+		config.ClientCAs = pool
+		config.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
 	if server.globalConfiguration.ACME != nil {
 		if _, ok := server.serverEntryPoints[server.globalConfiguration.ACME.EntryPoint]; ok {
 			if entryPointName == server.globalConfiguration.ACME.EntryPoint {